The payment card industry data security standard (PCI DSS) update has just been released – if you’re a business that processes card data this will probably be a pretty familiar term to you. Our resident security analyst Steve explains what you need to know in light of the update and how it can make your life a whole lot easier if you get prepared now.
A bit of background…
The standard is made up of 12 different requirement groups, which further break down into over 200 individual controls. Each of these controls is geared towards improving the security of your payment processing platform, from firewall implementation and maintenance to ensuring there are substantial physical controls and CCTV on your premises.
What’s the deal with the new release?
The latest release adds to the confusion with a change to its format and update cycle, so it's not surprising that more and more businesses are outsourcing PCI DSS management to service providers.
Hopefully the following will help simplify the headache that is PCI compliance and provide an insight into what's changed and how it affects your compliance.
PCI DSS has moved towards a yearly update to its standard, ditching its three-year cycle. This is a big change for the standard and a step in the right direction. The threat landscape is evolving faster and faster, with vulnerabilities being exposed in current technologies on a regular basis (multiple OpenSSL weaknesses, DROWN and the Badlock bug, to name a few).
Moving forward, smaller, more frequent changes will be required, and organisations that can strategically adapt and implement these changes will ensure their Card Data Environment (CDE) remains compliant with a heightened level of security.
What’s new within the standard’s controls?
With this release there has been a move towards putting more responsibility on the service provider. This is a refreshing move, as more and more businesses that fall under the PCI standard are using service providers to de-scope their businesses and remove the stress of dealing with the 220 requirements PCI mandates.
Managing these in-house would require a full-time employee. Outsourcing to a service provider sees overheads reduced to a fraction of the price of PCI DSS compliance, so it makes sense to create more liability around the providers. The new service-provider requirements include:
- Documenting all cryptographic architecture used including algorithms, protocols and key details (length and strength).
- Ensuring all access to customer CDE must be done using multifactor authentication.
- Ensuring that there are processes and procedures in place to detect any failures of critical security controls (firewalls, IDS/IPS, Anti-virus controls).
- Penetration testing of segmented environments needs to be conducted every 6 months.
- Executive management of the PCI program needs to be documented to show that overall accountability of the services being provided is there.
- Service providers need to ensure on a quarterly basis that all personnel are:
  - Following security procedures
  - Applying hardening configurations to new systems
  - Conducting system reviews (on firewall rules, for example)
- No longer a best practice but a requirement: customers need to have a written agreement provided by the service provider in which the provider acknowledges their responsibility for the security of the CDE used by the service provider.
Other changes that have the most significance for merchants are:
- Two-factor authentication (now rebranded as multi-factor authentication) is now required not just for remote access but for all internal access to components within the CDE.
- The deadline for using SSL and early TLS versions has been extended to 2018 for those who can justify using them. An additional appendix has been added for businesses to fill in if they wish to continue doing this. However, this should not be seen as an excuse to push migration back for another 2 years! Early versions of SSL/TLS are insecure.
Many of these controls are documented as being "best practice" for the next two years rather than a requirement, but any serious service provider will be implementing them ASAP or will already have them in place as part of their security management system.
(By providing services to clients, surely you would want to have a level of assurance that says they are doing as much as possible to keep you protected and not just doing it to comply with an industry standard anyway!)
UKFast will be moving towards PCI DSS 3.2 within the next few months and fulfilling every control that is applicable to us as a service provider, whether best practice or a requirement.
Give us a call on 0208 045 4945 to find out more about ensuring you’re sorted well in advance!